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DETAILED ACTION 

1 . This is in response to the amendment on 21 December 2005. 

2. Claims 1-26 are pending in the application. 

3. Claims 1-26 stand being rejected. 

Response to Arguments 

4. Applicant's arguments with respect to claims 1-26 have been considered but are moot in view 
of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

5. Claims 10, 11 and 24-26 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Matsumoto et al US 2001/0034836 Al. 

As to claim 10, Matsumoto et al discloses a method of providing a certificate from a 
client to a third party server, the method comprising: 

receiving a request for a certificate from the third party server [0034- 

0037]; 

forwarding the request to a biometric certification server (BCS) 0034- 

0037]; 
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receiving a biometric identification from the client and forwarding the 
biometric identification to the BCS [0034-0037]; 

if the biometric identification matches a registered user on the BCS, 
receiving a certificate including a public key of the client certified by the BCS 
[0038-0040]; and 

forwarding the certificate, including the public key of the client certified 
by the BCS, to the third party server, thereby identifying the client to the third 
party server [0038-0040]. 
As to claim 11, Matsumoto et al discloses detecting an access to a certification database 
by the server, as discussed above. Matsumoto et al discloses inserting a temporary certification 
from the BCS into the certification database, as discussed above. Matsumoto et al discloses 
generating a true certificate if the server chooses the temporary certification, as discussed above. 
As to claim 24, Matsumoto et al discloses an apparatus, comprising: 

crypto-server having a crypto-proxy interface for receiving a request for a 
cryptographic function from a client on a secure connection [0042]; 

an authentication engine to authenticate a user based on biometric data 

[0042]; 

a cryptographic engine to use the user's private key, as a virtual smart 
card, to perform a requested cryptographic function [0043]; and 

the crypto-proxy interface for returning data to the client, after the 
cryptographic functions are performed [0045]. 
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As to claim 25, Matsumoto et al discloses the cryptographic service is authenticating the 
user to another server [0046], 

As to claim 26, Matsumoto et al discloses that the cryptographic service is signing or 
encrypting data [0063]. 

Claim Rejections - 35 USC § 103 
The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

6. Claims 1-4, 6-9, 22 and 23 are rejected under 35 U.S.C. 103(a) as being unpatentable 

over Matsumoto et al US 2001/0034836 Al in view of Ganesan U.S. Patent No. 5,535,276. 

As to claim 1, Matsumoto et al discloses a client requesting a cryptographic service 
[0042]. Matsumoto et al discloses establishing a secure connection between the client and a 
biometric certification server (BCS) [0040]. Matsumoto et al discloses receiving biometric data 
from a user [0034], Matsumoto et al discloses that the BCS performs the cryptographic service 
if the user is authenticated based on the biometric data [0043]. 

Matsumoto et al does not teach generating a disposable public key/private key pair. 

Ganesan teaches generating a disposable public key/private key pair [column 8 ? lines 19- 

28]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Matsumoto et al so that the public/private key pair 
would have been replaced by a disposable public key/private key pair. 
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It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Matsumoto et al by the teaching of Ganesan, as described 
above, because it ensures that the key is not intercepted by a third party, by disposing of the key 
after its use [column 8, lines 19-28]. 

As to claim 2, Matsumoto et al teaches that the cryptographic service is authenticating the 
user to another server [0046]. 

As to claim 3, Matsumoto et al teaches certifying the public key. Matsumoto et al 
teaches forwarding the certificate to the other server [0038-0040], 

As to claim 4, Matsumoto et al teaches that the client receives data from the other server 
for signing with the user's private key. Matsumoto et al teaches forwarding the data to the BCS. 
Matsumoto et al teaches that the BCS signing the data with the user's temporary private key 
[0063]. 

As to claim 6, Matsumoto et al teaches detecting an access to a certification database of 
the client by another server [0034]. Matsumoto et al teaches inserting a temporary certification 
from the BCS into the certification database of the client. Matsumoto et al teaches generating a 
true certificate if the other server chooses the temporary certification [0034], 

As to claim 7, Matsumoto et al teaches that the cryptographic service is signing or 
encrypting data [0063]. 

As to claim 8, Matsumoto et al teaches that retrieving a private key/public key pair for 
the user. Matsumoto et al teaches performing the cryptographic service with the private or the 
public key [0063]. 
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As to claim 9, Matsumoto et al teaches detecting an access to a certificate database of the 
client, as discussed above. Matsumoto et al teaches detecting the user attempting to perform a 
cryptographic activity [0043]. 

As to claim 22, Matsumoto et al discloses a crypto-API (application program interface) 
for receiving cryptographic function requests [0042]. Matsumoto et al discloses a cryptographic 
service provider for establishing a secure connection to a remote crypto-server [0040]. 
Matsumoto et al discloses having the crypto-server perform the cryptographic function [0043]. 
Matsumoto et al discloses a sensor for receiving biometric data from a user [0034]. Matsumoto 
et al discloses that the biometric data is sent to the crypto-server to authenticate the user and that 
the remote crypto-server is to perform the requested cryptographic function when the user is 
successfully authenticated using the biometric data [0043]. 

Matsumoto et al does not teach generating a disposable public key/private key pair. 

Ganesan teaches generating a disposable public key/private key pair [column 8, lines 19- 

28]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Matsumoto et al so that the public/private key pair 
would have been replaced by a disposable public key/private key pair. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Matsumoto et al by the teaching of Ganesan, as described 
above, because it ensures that the key is not intercepted by a third party, by disposing of the key 
after its use [column 8, lines 19-28]. 
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As to claim 23, Matsumoto et al discloses a crypto-API (application program interface) 
for receiving cryptographic function requests [0042]. Matsumoto et al discloses a cryptographic 
service provider for establishing a secure connection to a remote crypto-server. Matsumoto et al 
discloses having the crypto-server perform the cryptographic function [0043]. Matsumoto et al 
discloses a sensor for receiving biometric data from a user, as discussed above. Matsumoto et al 
discloses that the biometric data sent to the crypto-server to authenticate the user [0043]. 
Matsumoto et al discloses that the remote crypto-server comprises: a crypto-proxy interface for 
receiving a request for the cryptographic function from the client on the secure connection; an 
authentication engine for authenticating the user based on the biometric data; a cryptographic 
engine for performing the cryptographic functions; and the crypto-proxy interface for returning 
data to the client, after the cryptographic functions are performed [0063]. 

Matsumoto et al does not teach generating a disposable public key/private key pair. 

Ganesan teaches generating a disposable public key/private key pair [column 8, lines 19- 

28]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Matsumoto et al so that the public/private key pair 
would have been replaced by a disposable public key/private key pair. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Matsumoto et al by the teaching of Ganesan, as described 
above, because it ensures that the key is not intercepted by a third party, by disposing of the key 
after its use [column 8, lines 19-28]. 
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7. Claim 5 is rejected under 35 U.S.C. 103(a) as being unpatentable over Matsumoto et al 
US 2001/0034836 Al and Ganesan U.S. Patent No. 5,535,276 as applied to claim 1 above, 
and further in view of Brickell et al US 2001/0034836 Al. 

As to claim 5, the Matsumoto-Ganesan combination does not teach that the client 
generates a session key for use with the other server. The Matsumoto-Ganesan combination 
does not teach encrypting the session key with a public key of the other server. The Matsumoto- 
Ganesan combination does not teach that the client closes the secure connection between the 
client and the BCS once the session is established between the client and the other server. 

Brickell et al teaches that the client generates a session key for use with the other server. 
Brickell et al teaches encrypting the session key with a public key of the other server [column 8, 
lines 31-47]. Brickell et al teaches that the client closes the secure connection between the client 
and the BCS once the session is established between the client and the other server [column 8, 
lines 31-47]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified the Matsumoto-Ganesan combination so that the 
client generated a session key for use with the other server. The session key would have been 
encrypted with the public key of the other server. The client would have closed the secure 
connection between the client and the BCS once the session was established between the client 
and the other server 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified the Matsumoto-Ganesan combination by the teaching of 
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Brickell et al because the examiner asserts that this prevents a third party from intercepting the 
session key. 

8. Claim 12 is rejected under 35 U.S.C. 103(a) as being unpatentable over Matsumoto et al 
US 2001/0034836 Al in view of Ganesan U.S. Patent No. 5,535,276. 

As to claim 12, Matsumoto et al does not teach generating a disposable public key/private 
key pair. 

Ganesan teaches generating a disposable public key/private key pair [column 8, lines 19- 

28]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Matsumoto et al so that the public/private key pair 
would have been replaced by a disposable public key/private key pair. The disposable public 
key/private key pair would have been certified. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Matsumoto et al by the teaching of Ganesan, as described 
above, because it ensures that the key is not intercepted by a third party, by disposing of the key 
after its use [column 8, lines 19-28]. 

9. Claims 13-21 are rejected under 35 U.S.C. 103(a) as being unpatentable over Matsumoto 
et al US 2001/0034836 Al in view of Jakobsson U.S. Patent No. 6,587,946 Bl. 

As to claim 13, Matsumoto et al discloses an authentication engine for authenticating the 
user based on biometric data [0041]. Matsumoto et al discloses a cryptographic engine for 
performing the cryptographic functions, as discussed above. 
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Matsumoto et al does not teach a crypto-server having a crypto-proxy interface for 
receiving a request for a cryptographic function from a client on a secure connection. 
Matsumoto et al does not teach that the crypto-proxy interface returns data to the client, after the 
cryptographic functions are performed. 

Jakobsson teaches a crypto-server having a crypto-proxy interface for receiving a request 
for a cryptographic function from a client on a secure connection [column 5, lines 48-64]. 
Jakobsson teaches that the crypto-proxy interface returns data to the client, after the 
cryptographic functions are performed [column 6, lines 3-39]. 

Therefore, it would have been obvious to a person having ordinary skill in the art at the 
time the invention was made to have modified Matsumoto et al so that the authentication engine 
would have authenticated the user based on biometric data received through a crypto-proxy 
interface of the crypto-server. A crypto-server would have had a crypto-proxy interface for 
receiving a request for a cryptographic function from a client on a secure connection. A 
cryptographic engine would have performed the cryptographic functions after the authentication 
engine authenticated the user based on the biometric data. The crypto-proxy interface would 
have returned the data to the client, after the cryptographic functions was performed. 

It would have been obvious to a person having ordinary skill in the art at the time the 
invention was made to have modified Matsumoto et al by the teaching of Jakobsson because it 
is efficient, allows tight control over actions (by the use of quorum cryptography), does not 
require any pre-computation phase to set up shared keys, and has a trust model appropriate for a 
variety of settings [column 3, lines 50-58]. 
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As to claim 14, Matsumoto et al teaches that a database includes user credentials [0034]. 
Matsumoto et al teaches that the authentication engine retrieving user biometric template from 
the database and comparing the biometric template to the biometric data received from the user 
[0040]. 

As to claim 15, Matsumoto et al teaches a dynamic key generation engine for generating 
a temporary public key/private key pair, the key pair used for establishing a session between the 
client and another server, as discussed above. 

As to claim 16, Matsumoto et al teaches the cryptographic engine generating a certificate 
including the temporary public key, certified by the cryptoserver's private key [0038]. 

As to claim 17, Matsumoto et al teaches that the dynamic key generation engine 
destroying the temporary key pair after the session between the client and the other server is 
successfully established [0063]. 

As to claim 18, Matsumoto et al suggests a user self-registration interface permitting a 
user to choose a handle and register a biometric template [0037]. 

As to claim 19, Matsumoto et al teaches a registration engine for receiving biometric data 
from the user during a registration process [0046], Matsumoto et al teaches extracting the 
biometric template for the user [0046]. Matsumoto et al teaches a user credential database for 
storing the handle and the biometric template of the user [0046]. 

As to claim 20, Matsumoto et al teaches that the registration engine generates a persistent 
private key/public key pair. Matsumoto et al teaches a database for storing the persistent private 
key/public key pair [0063]. 
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As to claim 21, Matsumoto et al teaches a database for storing a persistent private 
key/public key pair. Matsumoto et al teaches that the cryptographic engine uses the persistent 
private key or public key when appropriate to perform the cryptographic functions, as discussed 
above. 

Conclusion 

10. Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Aravind K. Moorthy whose telephone number is 571-272-3793. 
The examiner can normally be reached on Monday-Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 



Aravind K Moorthy 
March 14, 2006 
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